stub(*): merge dynamically initrds

For dynamic use cases, e.g. credentials or system extension images, we need
to merge initrds dynamically.
Raito Bezarius 2023-11-15 05:24:59 +01:00
parent 88bcd99ca8
commit e2e8059df2
2 changed files with 22 additions and 3 deletions


@ -51,7 +51,7 @@ pub fn boot_linux(
// image and then parse the PE data structures from it. This is // image and then parse the PE data structures from it. This is
// safe, because we don't touch any data in the data sections that // safe, because we don't touch any data in the data sections that
// might conceivably change while we look at the slice. // might conceivably change while we look at the slice.
let config = unsafe { let mut config = unsafe {
EmbeddedConfiguration::new( EmbeddedConfiguration::new(
booted_image_file(system_table.boot_services()) booted_image_file(system_table.boot_services())
.unwrap() .unwrap()
@ -67,5 +67,16 @@ pub fn boot_linux(
secure_boot_enabled, secure_boot_enabled,
); );
boot_linux_unchecked(handle, system_table, config.kernel, &cmdline, config.initrd).status() let mut final_initrd = Vec::new();
final_initrd.append(&mut config.initrd);
// Correctness: dynamic initrds are supposed to be validated by caller,
// i.e. they are system extension images or credentials
// that are supposedly measured in TPM2.
// Therefore, it is normal to not verify their hashes against a configuration.
for mut extra_initrd in dynamic_initrds {
final_initrd.append(&mut extra_initrd);
}
boot_linux_unchecked(handle, system_table, config.kernel, &cmdline, final_initrd).status()
} }
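Review bot: The loop over `dynamic_initrds` appends each buffer to `final_initrd` with no check that depends on `secure_boot_enabled`, so the boot chain rests entirely on the caller contract stated in the inline comment. That contract belongs in the doc comment of `boot_linux`, for example `/// Each entry of dynamic_initrds is appended unverified; the caller must have authenticated or measured it.`; the signature lies outside this hunk, so it may already be documented there. The comment also leans on TPM measurement, which records what was loaded but does not stop a modified image from booting. In a concatenated initramfs a later archive can replace files unpacked from an earlier one, so the unverified data can shadow content from the embedded initrd. The same applies to the loop in the second file, where the append comes after what appears to be the hash verification of `initrd_data`.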


@ -99,7 +99,7 @@ pub fn boot_linux(
let secure_boot_enabled = get_secure_boot_status(system_table.runtime_services()); let secure_boot_enabled = get_secure_boot_status(system_table.runtime_services());
let kernel_data; let kernel_data;
let initrd_data; let mut initrd_data;
{ {
let file_system = system_table let file_system = system_table
@ -135,5 +135,13 @@ pub fn boot_linux(
secure_boot_enabled, secure_boot_enabled,
)?; )?;
// Correctness: dynamic initrds are supposed to be validated by caller,
// i.e. they are system extension images or credentials
// that are supposedly measured in TPM2.
// Therefore, it is normal to not verify their hashes against a configuration.
for mut extra_initrd in dynamic_initrds {
initrd_data.append(&mut extra_initrd);
}
boot_linux_unchecked(handle, system_table, kernel_data, &cmdline, initrd_data) boot_linux_unchecked(handle, system_table, kernel_data, &cmdline, initrd_data)
} }
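Review bot: `initrd_data.append(&mut extra_initrd)` joins the archives back to back with no padding, and the same is true of the `final_initrd` loop in the first file. As far as I know, the kernel's initramfs unpacker only accepts an uncompressed cpio header at a 4-byte-aligned offset in the combined buffer, so an extra initrd that follows data whose length is not a multiple of four may be skipped or misparsed. Zero-padding before each append would avoid that: `initrd_data.resize((initrd_data.len() + 3) & !3, 0);`. The body of `boot_linux` starts outside this hunk.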